Bug#894979: marked as done (ca-certificates-java: does not work with OpenJDK 9, applications fail with InvalidAlgorithmParameterException: the trustAnchors parameter must be non-empty)

[Debian Bug Tracking System]

Your message dated Fri, 13 Apr 2018 12:49:39 +0000
with message-id <e1f6y95-00093g...@fasolo.debian.org>
and subject line Bug#894979: fixed in ca-certificates-java 20180413
has caused the Debian Bug report #894979,
regarding ca-certificates-java: does not work with OpenJDK 9, applications fail 
with InvalidAlgorithmParameterException: the trustAnchors parameter must be 
non-empty
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact ow...@bugs.debian.org
immediately.)


-- 
894979: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=894979
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems

--- Begin Message ---

Package: ca-certificates-java
Version: 20170930
Severity: important

Hello,

I am getting an error when connecting to HTTPS from java. Looking around
the problem always seems to talk about this package, but please
re-assign if something else is to blame.

Testing with the following code (I don't really know any Java and it's
the first thing I found to test with):

https://gist.github.com/4ndrej/4547029

```
borisov@glossy:~ $ java SSLPoke google.com 443
javax.net.ssl.SSLException: java.lang.RuntimeException: Unexpected error: 
java.security.InvalidAlgorithmParameterException: the trustAnchors parameter 
must be non-empty
        at java.base/sun.security.ssl.Alerts.getSSLException(Alerts.java:214)
        at 
java.base/sun.security.ssl.SSLSocketImpl.fatal(SSLSocketImpl.java:1969)
        at 
java.base/sun.security.ssl.SSLSocketImpl.fatal(SSLSocketImpl.java:1921)
        at 
java.base/sun.security.ssl.SSLSocketImpl.handleException(SSLSocketImpl.java:1904)
        at 
java.base/sun.security.ssl.SSLSocketImpl.handleException(SSLSocketImpl.java:1830)
        at 
java.base/sun.security.ssl.AppOutputStream.write(AppOutputStream.java:71)
        at 
java.base/sun.security.ssl.AppOutputStream.write(AppOutputStream.java:81)
        at SSLPoke.main(SSLPoke.java:23)
Caused by: java.lang.RuntimeException: Unexpected error: 
java.security.InvalidAlgorithmParameterException: the trustAnchors parameter 
must be non-empty
        at 
java.base/sun.security.validator.PKIXValidator.<init>(PKIXValidator.java:89)
        at 
java.base/sun.security.validator.Validator.getInstance(Validator.java:181)
        at 
java.base/sun.security.ssl.X509TrustManagerImpl.getValidator(X509TrustManagerImpl.java:330)
        at 
java.base/sun.security.ssl.X509TrustManagerImpl.checkTrustedInit(X509TrustManagerImpl.java:180)
        at 
java.base/sun.security.ssl.X509TrustManagerImpl.checkTrusted(X509TrustManagerImpl.java:192)
        at 
java.base/sun.security.ssl.X509TrustManagerImpl.checkServerTrusted(X509TrustManagerImpl.java:133)
        at 
java.base/sun.security.ssl.ClientHandshaker.checkServerCerts(ClientHandshaker.java:1947)
        at 
java.base/sun.security.ssl.ClientHandshaker.serverCertificate(ClientHandshaker.java:1777)
        at 
java.base/sun.security.ssl.ClientHandshaker.processMessage(ClientHandshaker.java:264)
        at 
java.base/sun.security.ssl.Handshaker.processLoop(Handshaker.java:1092)
        at 
java.base/sun.security.ssl.Handshaker.processRecord(Handshaker.java:1026)
        at 
java.base/sun.security.ssl.SSLSocketImpl.processInputRecord(SSLSocketImpl.java:1137)
        at 
java.base/sun.security.ssl.SSLSocketImpl.readRecord(SSLSocketImpl.java:1074)
        at 
java.base/sun.security.ssl.SSLSocketImpl.readRecord(SSLSocketImpl.java:973)
        at 
java.base/sun.security.ssl.SSLSocketImpl.performInitialHandshake(SSLSocketImpl.java:1402)
        at 
java.base/sun.security.ssl.SSLSocketImpl.writeRecord(SSLSocketImpl.java:733)
        at 
java.base/sun.security.ssl.AppOutputStream.write(AppOutputStream.java:67)
        ... 2 more
Caused by: java.security.InvalidAlgorithmParameterException: the trustAnchors 
parameter must be non-empty
        at 
java.base/java.security.cert.PKIXParameters.setTrustAnchors(PKIXParameters.java:200)
        at 
java.base/java.security.cert.PKIXParameters.<init>(PKIXParameters.java:120)
        at 
java.base/java.security.cert.PKIXBuilderParameters.<init>(PKIXBuilderParameters.java:104)
        at 
java.base/sun.security.validator.PKIXValidator.<init>(PKIXValidator.java:86)
        ... 18 more
```

I have tried "sudo update-ca-certificates -f" but that did not help.


Thanks,

George

-- System Information:
Debian Release: buster/sid
  APT prefers unstable-debug
  APT policy: (500, 'unstable-debug'), (500, 'unstable')
Architecture: amd64 (x86_64)
Foreign Architectures: i386

Kernel: Linux 4.15.0-2-amd64 (SMP w/8 CPU cores)
Locale: LANG=en_GB.UTF-8, LC_CTYPE=en_GB.UTF-8 (charmap=UTF-8), 
LANGUAGE=en_GB:en (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash
Init: systemd (via /run/systemd/system)
LSM: AppArmor: enabled

Versions of packages ca-certificates-java depends on:
ii  ca-certificates                                  20170717
ii  default-jre-headless [java8-runtime-headless]    2:1.9-63
ii  libnss3                                          2:3.35-2
ii  openjdk-9-jre-headless [java8-runtime-headless]  9.0.4+12-4

ca-certificates-java recommends no packages.

ca-certificates-java suggests no packages.

-- Configuration Files:
/etc/default/cacerts [Errno 13] Permission denied: '/etc/default/cacerts'

-- debconf-show failed

--- End Message ---

--- Begin Message ---

Source: ca-certificates-java
Source-Version: 20180413

We believe that the bug you reported is fixed in the latest version of
ca-certificates-java, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 894...@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Emmanuel Bourg <ebo...@apache.org> (supplier of updated ca-certificates-java 
package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmas...@ftp-master.debian.org)


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

Format: 1.8
Date: Fri, 13 Apr 2018 14:15:39 +0200
Source: ca-certificates-java
Binary: ca-certificates-java
Architecture: source
Version: 20180413
Distribution: unstable
Urgency: medium
Maintainer: Debian Java Maintainers 
<pkg-java-maintainers@lists.alioth.debian.org>
Changed-By: Emmanuel Bourg <ebo...@apache.org>
Description:
 ca-certificates-java - Common CA certificates (JKS keystore)
Closes: 889412 894979
Changes:
 ca-certificates-java (20180413) unstable; urgency=medium
 .
   * Team upload.
   * Always generate a JKS keystore instead of using the default format
     (Closes: #894979)
   * Look for Java 10 and Java 11 when detecting the JRE
   * Removed Damien Raude-Morvan from the uploaders (Closes: #889412)
   * Standards-Version updated to 4.1.4
   * Switch to debhelper level 11
Checksums-Sha1:
 96fcf025e6c85846ce696bf3d6b62a047dda7a07 1805 ca-certificates-java_20180413.dsc
 699d5f58937ad3dc1db6f3fef78a2a7888c3d8cd 16416 
ca-certificates-java_20180413.tar.xz
 92da0e62e7a4f2bf754dd2b6141f5146093eb7de 11107 
ca-certificates-java_20180413_source.buildinfo
Checksums-Sha256:
 c252cf62714128f78bc41191607f91f8a430613e61c52cb4afc307b6af022838 1805 
ca-certificates-java_20180413.dsc
 ab7839a1125abec1882d6e7aac7aca3394241effc0ee24652b6f0e51e8a2ac34 16416 
ca-certificates-java_20180413.tar.xz
 cc8dfa16453714ba429c0ba8fcab9fa24352bce7148e72b9c288003541c23523 11107 
ca-certificates-java_20180413_source.buildinfo
Files:
 4c89dfb769a7f332cea78c3fb5261549 1805 java optional 
ca-certificates-java_20180413.dsc
 b1a6001017b6b943cca0d38c686b705c 16416 java optional 
ca-certificates-java_20180413.tar.xz
 5965a4dfd4e700a4c5c1feb6ef0de852 11107 java optional 
ca-certificates-java_20180413_source.buildinfo

-----BEGIN PGP SIGNATURE-----

iQJGBAEBCgAwFiEEuM5N4hCA3PkD4WxA9RPEGeS50KwFAlrQonwSHGVib3VyZ0Bh
cGFjaGUub3JnAAoJEPUTxBnkudCs+ZMP/2jGh1jkVtdMHmki2BNTYwS3sIYJaBcs
1Kb83DtxxiqOpLcIrhPppqH8Uos/95pD9Fktrt1YM6jEBLWJdV935n7vxiV/r7Ww
8nLOxjU4jpgesBzL89HB1VemLwt5VBU0+xuVZlT9C7nrlaIqAHrlMzxxtNg/rXCN
zfiwVDG0vDku8YFu7DDHCFNvddBcu+BJinJdZ0YLhEvEXfTQOHnioay6h1gfX/7X
KYLnTdORmh226ArqQU9jyLargtKaaurUSWh4lLtIvxzjFE7IjldNiBsYwoYzhiE7
wH71jmLyTcaTxAcU7gclAozIJL7FYh1CTx+bmRhKLccAzDqxjzDD/JmH4j88sS5L
41QxB8BjzTmXjfY6LlY3SAd+ZVFhl9LmQ/SgYe6SpMoyMYBXwhejQC58HqjkmwAj
vJ8DYsDEbCn+ALv3k3kfWKeVhKNPxPcKe1u0ANOFgJBTz8oktpC74rJD9pjdb+o9
2aYCPrwGRNfgeB2PWrlAzRjCW0nBTi/fzBargAAMw9vYtaQwxvOPUiv3CR3jeUgn
4VodOu5eH0YJ4BRPJ7y46tWx0NBKwIoYycQuocsP/kuvwoU+qly4S9vQCVtt921R
dzO74bnC4MlIvzeCjPxrYpB5mZbsHTP12XFd6ZmjrjJ3VAaEotpIVFCa1JdO6viG
gzn6+q1WnogM
=ITr0
-----END PGP SIGNATURE-----

--- End Message ---

__
This is the maintainer address of Debian's Java team
<http://lists.alioth.debian.org/cgi-bin/mailman/listinfo/pkg-java-maintainers>. 
Please use
debian-j...@lists.debian.org for discussions and questions.